Let's Encrypt Wildcard Certificates with Cloudflare DNS and NGINX

With NGINX reverse proxies, requesting a separate TLS certificate for every single subdomain is a pain. Let's Encrypt offers something that helps with this: wildcard certificates, which cover every subdomain of a given domain (one level deep, so *.example.com covers app.example.com but not a.b.example.com). A wildcard name can only be validated with the DNS-01 challenge, which means proving control of the zone by publishing a TXT record at _acme-challenge.example.com. If the zone is hosted on Cloudflare DNS, Certbot's Cloudflare plugin can create and remove those TXT records through the Cloudflare API automatically, so both setup and renewal are hands-off.

To start off, install Certbot and the Cloudflare DNS and NGINX plugins (on CentOS they come from the EPEL repository). I'm using CentOS, but the package names are the same on Ubuntu/Debian. I'm also installing nano as a text editor, since CentOS doesn't come with it out of the box.

Running Certbot with the Cloudflare plugin as the authenticator and the NGINX plugin as the installer walks you through adding the certificate to your NGINX config automatically, assuming you already have NGINX configured. The NGINX plugin cannot validate a wildcard on its own, because Let's Encrypt only issues wildcard names for the DNS-01 challenge, which is why the Cloudflare plugin has to do the validation and the NGINX plugin only installs the result. The Cloudflare plugin reads your API credentials from a file; keep that file readable by root only, and prefer an API token scoped to DNS edits on the one zone over the account-wide Global API Key, because anyone who can read the file can change your DNS. Select the domains you want (the base domain plus its wildcard), and choose whether or not HTTP traffic should be redirected to HTTPS. Certbot takes care of modifying your configuration files, so you only have to reload NGINX afterwards to apply the changes.

sudo systemctl reload nginx

To renew your certificates, run certbot renew, either manually or from your crontab, and it renews every Let's Encrypt certificate on the system that is within 30 days of expiry. Certbot records the authenticator, installer and credentials path it used at issuance, so the renewal reuses the Cloudflare plugin without any extra flags; certbot renew --dry-run exercises the whole flow against the Let's Encrypt staging environment without touching the real certificates. I recommend testing it first, since it doesn't seem to work on my system. However, running the previous Certbot command does renew the certificates if they need to be renewed.
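The whole procedure above, put together as an added example that is not from the original post: it writes the Cloudflare credentials file with root-only permissions, builds the issuance command with dns-cloudflare as the authenticator and nginx as the installer, and provides the renewal dry run and a cron line. The domain example.com, the path /root/.secrets/cloudflare.ini and the token value are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: example.com,
# /root/.secrets/cloudflare.ini and the placeholder token; override via env.
set -u

CREDS="${CREDS:-/root/.secrets/cloudflare.ini}"
# Assumption: a Cloudflare API token created with only Zone:DNS:Edit on this
# zone. The Global API Key also works (dns_cloudflare_email + dns_cloudflare_api_key)
# but grants the whole account, so a leaked file would be far more damaging.
TOKEN="${TOKEN:-REPLACE_WITH_CLOUDFLARE_API_TOKEN}"

# Write the credentials file so that only root can read it. Certbot warns when
# this file is readable by others, because it is equivalent to DNS control.
write_creds() {
    creds="$1"; token="$2"
    mkdir -p "$(dirname "$creds")"
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$creds" )
    chmod 600 "$creds"
}

# Return the file mode in octal (GNU stat first, BSD stat as fallback).
creds_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build the issuance command for a base domain plus its wildcard.
# dns-cloudflare authenticates (DNS-01 is the only challenge that can validate
# a wildcard); nginx only installs the certificate into the server blocks.
# The propagation delay gives Cloudflare time to publish the TXT record before
# Let's Encrypt queries it.
certbot_cmd() {
    domain="$1"; creds="$2"
    printf '%s' "certbot --authenticator dns-cloudflare --installer nginx" \
        " --dns-cloudflare-credentials $creds" \
        " --dns-cloudflare-propagation-seconds 30" \
        " -d $domain -d '*.$domain'"
}

# Issue the certificate for real, then reload NGINX to pick it up.
issue_certificate() {
    domain="$1"
    write_creds "$CREDS" "$TOKEN"
    eval "$(certbot_cmd "$domain" "$CREDS")"
    systemctl reload nginx
}

# Rehearse renewal against the staging environment: creates and removes the
# TXT record through the Cloudflare API but saves no certificate.
renew_dry_run() {
    certbot renew --dry-run
}

# Cron entry for /etc/cron.d: Certbot renews only when <30 days remain, and the
# deploy hook reloads NGINX only when a certificate actually changed.
cron_line() {
    printf '%s\n' "0 */12 * * * root certbot renew --quiet --deploy-hook 'systemctl reload nginx'"
}

# Show the command that issue_certificate would run for the assumed domain.
certbot_cmd example.com "$CREDS"; printf '\n'
```

Older distro builds of the plugin only accept the email plus Global API Key pair in the credentials file; if Certbot rejects dns_cloudflare_api_token, that is the reason, and the fix is a newer plugin rather than a broader credential. Run renew_dry_run before installing the cron line, so a misconfigured credentials file shows up now rather than at expiry.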